Comment on Welcome to Lemmy.zip

<- View Parent
swizzlestick@lemmy.zip ⁨1⁩ ⁨day⁩ ago

And a TLD shouldn’t be so easy to mistake for one of the most recognisable filetypes ever, yet here we are. Well made apps discern between a zip file and a zip web address without issue. The problem, as usual, is in the human element:

Having .zip in the string and in the link visible on hover could be all that is needed to ‘sell’ it to a user that makes a cursory glance before clicking - nevermind the ones that just click anyway. Plenty of folk have fallen for more obvious traps than that, so it’s a winner for a bad actor. Any trick that lends legitimacy to a scam increases the chance of success. Users savvy enough to check but not enough to spot the discrepancy may also have more data interesting to an attacker.

Blocking .zip TLDs wholesale at DNS level kills this even if the first and hardest hurdle (getting the user to click) is cleared. I’ll concede that it is an edge case in the grand scheme of things, but why leave the hole open when it is so easily plugged?

source
Sort:hotnewtop